Authentication Overview

Authentication refers to the process of determining a client's identity.
Authorization refers to the process of determining what permissions an
authenticated client has for a set of resources. That is, authentication
identifies who you are, and authorization determines what you can do.

You can authenticate to a Google Cloud Platform (GCP) API using service
accounts or user accounts, and for APIs that don't require authentication, you
can use API keys.

Service accounts

A service account is a Google account that represents an application,
as opposed to representing an end user.

Important: For almost all cases, whether you are
developing locally or in a production application, you should use service
accounts, rather than user accounts or API keys.

You can use a service account by
providing its private key to your application, or by using the built-in
service accounts available when running on Google Cloud Functions, Google
App Engine, Google Compute Engine, or Google Kubernetes Engine.

All GCP APIs support service accounts. For most server applications that need
to communicate with GCP APIs, we recommend using service accounts, as they are
the most widely supported and flexible way to authenticate.
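
When the private key is provided to the application as a downloaded key file, that file is a long-lived secret and should be checked before it is used. The following is an added example, not code from the original page or from Google's libraries: the helper name audit_credential_file is hypothetical, and the JSON field names and "type" values are those of Google's credential file format, which this page does not list.

```python
import json
import os
import stat
import tempfile

# Fields in a downloaded service account key file (JSON key format).
SA_REQUIRED = ("client_email", "private_key", "private_key_id", "project_id")


def audit_credential_file(path):
    """Return (kind, findings) for a Google credential JSON file (hypothetical helper)."""
    findings = []
    # The file holds a private key, so only its owner should have any access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} gives group/other users access to the key")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    kind = data.get("type", "unknown")
    if kind == "service_account":
        missing = [k for k in SA_REQUIRED if not data.get(k)]
        if missing:
            findings.append("missing fields: " + ", ".join(missing))
    elif kind == "authorized_user":
        # Credential for an end user's account, not for the application itself.
        findings.append("user account credential, not a service account")
    else:
        findings.append(f"unrecognized credential type: {kind!r}")
    return kind, findings


if __name__ == "__main__":
    # Constructed sample key; the values are placeholders, not a real credential.
    sample = {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "constructed-key-id",
        "private_key": "CONSTRUCTED-PLACEHOLDER",
        "client_email": "app@example-project.iam.gserviceaccount.com",
    }
    with tempfile.TemporaryDirectory() as tmp:
        key_path = os.path.join(tmp, "key.json")
        with open(key_path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(key_path, 0o644)  # deliberately too permissive
        print(audit_credential_file(key_path))
        os.chmod(key_path, 0o600)  # owner-only
        print(audit_credential_file(key_path))
```

The permission check relies on POSIX file modes, so it is meaningful on Linux and macOS hosts rather than on Windows.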

User accounts

You can authenticate users directly to your application when the application
needs to access resources on behalf of an end user.

Example use cases include:

Your application needs to access Google BigQuery datasets that are in projects
owned by users of your application.

Your application uses an API such as the Cloud Resource Manager API, which can
create and manage projects owned by a specific user. The application would need
to authenticate as a user to create projects on their behalf.

You plan to create development tools that create resources within projects.

API keys

An API key is a simple encrypted string that identifies a Google project for
quota and billing purposes. API keys can be used when calling Google APIs that
don't require authentication, and when using Google Cloud Endpoints. For
security reasons, we recommend using service accounts instead.